There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

How CrowdStrike’s Machine Learning Model Automation Uses the Cloud to Maximize Detection Efficacy

1 July 2022 at 13:41
  • The CrowdStrike Falcon® platform takes full advantage of the power of the CrowdStrike Security Cloud to reduce high-cost false positives and maximize detection efficacy to stop breaches 
  • CrowdStrike continuously explores novel approaches to improve machine learning automated detection and protection capabilities for Falcon customers
  • CrowdStrike’s cloud-based machine learning model automation can predict 500,000 feature vectors every second and cover 10TB of files per second to find detections

 At CrowdStrike, we combine cloud scale with machine learning expertise to improve the efficacy of our machine learning models. One method for achieving that involves scanning massive numbers of files that we may not even have in our sample collections before we release our machine learning models. This prerelease scan allows us to maximize the efficacy of our machine learning models while minimizing negative impact of new or updated model releases.

It’s important to understand that machine learning models take over when discrete algorithms fall short. CrowdStrike machine learning does an excellent job of creating models that can detect impactful in-the-wild novel threats like NotPetya, BadRabbit or HermeticWiper along with other malware families. CrowdStrike’s comprehensive detection capabilities have been consistently validated in independent third-party testing from leading organizations including AV-Comparatives. However, machine learning looks at the world through probabilities, and those probabilities can make understanding why an incorrect detection was made unpredictable and difficult to understand.

Incorrect detections, also known as false positives, are a concern with any endpoint security solution and exacerbate the ongoing skills shortage most organizations face. Any incorrect assessment of a clean file as malicious can immediately trigger remediation procedures that can take down services, disrupt workflows and distract analysts from hunting down legitimate threats. However, not all false positives are created equal, for the cost of any mistakes should be compared to the benefit given by correct detections. CrowdStrike has implemented novel solutions to the false positive predicament.

Clean or Dirty: Know the Difference

One approach involves accumulating billions of files in our cloud. These files come from various sources, ranging from protected environments to public malware collections, at a rate of approximately 86 million new hashes a day. The collection includes malicious code, clean code and unwanted code, such as potentially unwanted programs. 

To build our machine learning models, we carefully curate both clean and “dirty” (i.e., malicious) samples from this collection, resulting in a labeled collection that is growing by tens of millions of new examples every training cycle.

Extract the Right Features

To ensure the quality of the resulting models, we also gather from live environments the most interesting files to maximize the efficacy of the model. While some customers use the Falcon platform to share files with us so we can improve our coverage capabilities, others keep their files in-house for a variety of reasons. As a consequence, to build an effective model, we must ensure that it can perform well on in-house files not shared with us as well as on those that have been shared. However, to teach a machine learning model, first you must reduce these interesting files to a long list of transformed numeric values, called a feature vector, that represent various properties of the file. 

As humans, we learn to use our senses to extract features from the surrounding environment and then infer probable outcomes based on past experience. For example, if it’s cloudy outside and there’s a damp breeze, we infer there’s a high chance of rain and we need to grab an umbrella. In this case, cloudy and damp can be considered data points part of the feature vector that describes chances of rain. 

Of course, the feature list for files contains thousands of decimal numbers that humans can’t read but our artificial intelligence (AI) understands. That feature vector is uploaded to the cloud by the Falcon sensor, making it possible for us to observe what a new model would say about the underlying file by running predictions over that stored feature vector.

Figure 1. This flow describes how feature vectors and metadata are sent to the CrowdStrike Security Cloud and used against our machine learning model to help build better predictions.

Returning to the rain example, the feature vector with the two data points of cloudy and damp is assessed against what we know from experience to be signs of rain. If our experience has taught us that these two particular data points have a high probability of describing chances of rain, then we grab an umbrella. Otherwise, we assess this with low chances of rain. Much like machine learning models, it comes down to how well we are trained in spotting and recognizing signs of rain.

Measure Efficacy, Get It Right!

The same file feature vector can also be combined with additional information such as the prevalence of files that is contained within our security cloud. This means we can virtually scan all prevalent files in protected environments to measure efficacy and test for false positives. 

The results of this virtual scan are important for a number of reasons. First, it enables us to identify important files which will have a high impact in the next model release.  Second, we can minimize potential high-cost false positives prior to deployment.  Finally, this information is used to teach future models. 

For example, based on a prevalence threshold, we advance our scan to include all files found on a significant number of devices. We then consider all of our detections. Those that are incorrect we resolve with our cloud by replying to our sensors to prevent future detection, and include the files that triggered an incorrect detection in the next retrain of our model. Correct detections, on the other hand, are added both to our cloud for immediate detection and to the files used in training our models in the future. 

Again, returning to the rain example, this virtual scan is like checking multiple weather forecasting websites as soon as we have the two signs — cloudy and damp — before leaving the house with or without an umbrella. Some of those websites may be correct in predicting rain, others may not, but the next time it’s cloudy and damp we will know which websites are reliable before we go outside and risk being caught in the rain without an umbrella.

CrowdStrike’s Automated Cloud-Based Machine Learning Model Maximizes Efficacy

While CrowdStrike analysts inspect millions of files, the number of files detected as malicious is remarkably small enough that they can be analyzed by hand. Because our analysts and processes work better on samples that we have instead of information about samples, we start our analysis with those detections we can also find in our massive sample store. 

Using feature vectors, the Falcon platform enables us to know quite a bit about the files we don’t have, and also allows us to use the power of the cloud to enhance detection or resolve incorrect detections of files not contained in our sample store.

Comparing global virtual scans of prevalent files against all of our static detection models is critical in pushing the accuracy and efficacy of our machine learning models to help secure our customers and stop breaches.

In essence, the power of the Falcon platform lies in its ability to take full advantage of the massive data fabric we call the CrowdStrike Security Cloud, which correlates trillions of security events from protected endpoints with threat intelligence and enterprise telemetry. The Falcon platform uses machine learning and AI to automate and maximize the efficacy of detecting and protecting against threats, to stop breaches.

Additional Resources

Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses

30 June 2022 at 19:46

Cybercriminals are constantly evolving their operations, the methods they use to breach an organization’s defenses and their tactics for monetizing their efforts. 

In the CrowdStrike 2022 Global Threat Report, we examined how the frequency and sophistication of ransomware attacks has grown in the past year. CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021 compared with 2020; further, we found 62% of attacks use hands-on-keyboard activity — indicating adversaries continuously advance their tradecraft to bypass legacy security solutions and extort victims via highly targeted data leaks. What are the forces driving this growth, and how exactly do cybercriminals make money?

The Fast-Growing, Lucrative Business Model Enabled by RaaS

Ransomware is not new; adversarial groups have relied on compromises for many years. However, over the past 2-3 years, their strategy has started to shift toward a more community based business model enabled by ransomware-as-a-service (RaaS) platforms that allow smaller, less advanced criminals to join a larger operation. 

At the top of this model is an operator who sets up a RaaS platform that takes care of multiple technical tasks such as on-demand ransomware packaging, command and control of deployed ransomware, cryptography, data extraction, archiving, online extortion and others. 

Less sophisticated cybercriminals with minimal hacking knowledge can join this operation after being vetted; when they do, they’ll receive 70 to 80% of the paid ransom. These emerging criminals are also assisted by access brokers, through which they can acquire access to the infrastructure of a potential victim. The interaction between all these criminal entities — RaaS operators, vetted affiliates, access brokers and other participants — happen via criminal forums, underground markets and anonymous posts. CrowdStrike continuously monitors these environments, and users may receive alerts regarding market and forum activity.

Access Brokers: How Adversaries Get In

The eCrime kill chain is often enabled by access brokers, the intruders who gain access to an organization’s infrastructure and then sell illicitly obtained credentials and other access methods to buyers in underground communities.

Adversaries buy compromised credentials to make the process of getting into a target organization easier and more efficient. Access brokers sell a broad range of access types, including financial account logins, business email account credentials, remote access to network assets and custom exploits for IT infrastructure.

To advertise compromised credentials and other access methods on the underground, access brokers use particular keywords and target specific marketplaces. However, their posts often leave behind “breadcrumbs” that offer defenders an opportunity to detect compromised accounts or risks of security incidents. For example, an access broker may include attributes such as company details (size, revenue, industry), IT infrastructure details, the malware used to steal credentials, or the access broker’s alias.

The amount of chatter on underground forums is massive. CrowdStrike’s managed service, Falcon X Recon+ provides security teams assistance by offering custom expertise to monitor and triage threats found in these forums on your behalf. CrowdStrike experts can guide organizations of all sizes to identify unwanted data exposure or threats like account takeovers and brand-targeted attacks. 

Distribution Services: A Force Driving Ransomware

CrowdStrike’s analysis of ransomware campaigns by groups such as Pinchy Spider, also known as REvil, Wizard Spider (Conti) and Carbon Spider (DarkSide) has made it clear the operators behind these campaigns no longer work alone, in particular when compromising assets and injecting the ransomware. Ransomware operators advertise on underground forums to recruit affiliates who can help them distribute ransomware and share the profits. 

These affiliates leverage RaaS infrastructure from the operators. After targeting and compromising a victim’s assets, they drop ransomware from the RaaS platform, set the ransom demand and get 70 to 80% of the ransom payment in return. Victims are often chosen based on the likelihood they’ll be able to afford a ransom; affiliates often calculate ransom payouts based on company revenue and business impact to maximize their profits. 

Operators provide technical services in return for affiliates’ help in distributing ransomware. They may provide a packager to generate customized ransomware so affiliates can distribute over their own channels; cryptographic key management; or internet infrastructure for data exfiltration and storage. They may share payment instructions to receive virtual currencies from victims; secret communication channels to hide affiliates when they talk to victims; and even a help desk to aid victims in paying the ransom. These services give a boost to less tech-savvy adversaries, who benefit from access to technically advanced malware at low cost. 

CrowdStrike Intelligence analysts found multiple initial access and lateral movement techniques that affiliates use before deploying ransomware. By changing how they distribute ransomware, adversaries can find new ways to bypass security measures. Below are a few examples of how attackers gain initial access:

  • Buying stolen credentials from access brokers. Affiliates often use legitimate  credentials to gain a foothold. Remote Desktop Protocol (RDP) is a popular entryway.
  • Spam or social engineering. Among the most common initial access vectors.
  • Vulnerability scanning and exploit kits. These kits can be found on multiple forums and target specific software or systems to gain access and install additional code . Exploit kits can be combined with phishing campaigns to boost their effectiveness.
  • Loader and botnet usage. Loaders, often a step between phishing campaigns and ransomware deployment, use malicious documents like macro-enabled spreadsheets to download and execute malicious code.
  • Post-exploitation tools and “living off the land.” Adversaries that access a system will explore the network to find critical data or applications that can help further an attack. Some use system tools like PSExec or PowerShell scripts to remain hidden.

A better understanding of adversary techniques can help improve your defenses. Organizations must know which attackers are targeting their region or industry, whether they are recruiting affiliates, and how their ransomware is distributed.By understanding the adversary and their tools, defenders can employ an intelligence-first defense strategy based on the threats they face.

Monetization: How Cybercrime Pays

Once ransomware is deployed into a victim environment, the prize needs to be split and monetized into other payment forms. CrowdStrike’s observations of the cybercrime ecosystem offer new insights into adversaries, their transactions and valuation of recent compromises — all of which can help defenders understand how money flows in cybercrime and strengthen their security strategies.

Adversaries constantly evolve their monetization techniques to maximize the chance of payment. Their methods are working: reports from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCen) and the Office of Foreign Assets Control (OFAC) underscore how lucrative ransomware has become. FinCen found the value of suspicious activity detailed in ransomware-related suspicious activity reports (SARs) was $590 million USD in the first six months of 2021 — far higher than the $416 million USD reported in all of 2020. Further, CrowdStrike’s Intelligence team also tracks ransomware demands: in 2021, we calculated an average demand of $6.1 million USD, an increase of 36% from 2020. 

If a victim refuses to pay ransom, their data may be auctioned by the threat actor so they can still make money on it by selling it to other parties or adversaries.

Corporate data is valuable to all adversaries. Once they have it, the data can be easily monetized and present increased risk to your organization if other attackers have access to it. Defenders must develop a stronger understanding of cybercriminals’ behavior — and the broader eCrime ecosystem — in order to make smarter security decisions that best protect data as their most valuable asset.

In the “Tales from the Dark Web” white paper series, we explore the increased specialization of adversaries inside the criminal underground. This includes the changing tradecraft for gaining initial access, achieving lateral movement, exfiltrating data and leveraging it to extort their targets. By understanding how adversaries specialize in these critical areas to gain scale and efficiency, organizations can better prepare their defenses. 

Rather than simply illustrate the problems defenders face, the insights from these white papers will arm security teams with actionable information, enabling them to better prepare for the attacks emerging from the criminal underground. 

Additional Resources

Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers

29 June 2022 at 18:52

Adversaries often exploit legacy protocols like Windows NTLM that unfortunately remain widely deployed despite known vulnerabilities. Previous CrowdStrike blog posts have covered critical vulnerabilities in NTLM that allow remote code execution and other NTLM attacks where attackers could exploit vulnerabilities to bypass MIC (Message Integrity Code) protection, session signing and EPA (Enhanced Protection for Authentication)

The PetitPotam vulnerability, combined with AD-CS relay, is one of the recent severe NTLM relay variations the CrowdStrike Identity Protection research team have seen, which indicates its high popularity. While the latest Microsoft security update — released on Patch Tuesday, May 10, 2022 — included a patch for the aforementioned vulnerability, it does not fully mitigate the issue. It does, however, change the requirements from being able to run the attack unauthenticated, to requiring any Active Directory account credentials to trigger the attack. 

In this blog, we detail the fix, the remaining issues and an enhancement to Falcon Identity Protection’s existing NTLM relay detection, which detects exploitation of the PetitPotam vulnerability and similar authentication coercion techniques.  

PetitPotam and NTLM Relay

NTLM relay has always been a popular attack technique. In the past, the biggest challenge was to solicit a user account to authenticate to an attacker-controlled machine; now it seems that endpoint authentication coercion mechanisms are gaining popularity. 

The most popular targets, for obvious reasons, are domain controllers, as their high privileges make them a lucrative target for authentication relay attacks. The first authentication coercion mechanism involved the Print Spooler service, while the newer one relies on the MS-EFSRPC protocol. The latter is also known as the PetitPotam attack. When combined with the insecure default configuration of the Active Directory Certificate Services (AD-CS), which does not enforce Extended Protection for Authentication (EPA), it could be deadly as it can lead to a full domain compromise in a few steps. An attacker could trigger a domain controller authentication by exploiting the PetitPotam vulnerability and relaying it to the AD-CS server to request a certificate for the domain controller account. Using this certificate, a malicious actor can then retrieve a TGT for the relayed domain controller account and perform any further operations using its high privileges (e.g., dump domain admin hashes). 

One of the most severe issues with the PetitPotam vulnerability, prior to Microsoft’s latest security updates, was that an attacker could run the attack unauthenticated (i.e., only network access to the domain controller was required). The patch only partially mitigates the issue, meaning an attack is still possible.

The Released Fix(es) and Remaining Issues

The Microsoft security update released on Patch Tuesday, May 10, 2022, included a partial patch for the PetitPotam vulnerability. This update, however, also caused authentication failures for various Windows services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). According to Microsoft, “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.” 

As a workaround, Microsoft recommended to manually map certificates to Active Directory accounts or follow KB5014754 for other possible mitigations. Because of the issues caused by the patch, CISA warned against deploying it on domain controllers, which left many organizations wide open to the unauthenticated PetitPotam authentication coercion attack. On May 19, 2022, an out-of-band update was made available to fix the authentication failures caused by the latest security update.

It is important to note that the security update states, “This security update detects anonymous connection attempts in LSARPC and disallows it,” which leaves the question: Does the coercion attack still work using an authenticated user?

Following some testing, it looks like the answer is yes!

While the PetitPotam vulnerability, when patched, will no longer work unauthenticated, it can still be abused by leveraging any Active Directory account credentials to trigger domain controller NTLM authentication, which can be relayed to a escalate to domain admin privileges if the required security settings are not enforced (as previously mentioned, EPA is not enforced by default on AD-CS servers).

Moreover, PetitPotam is no longer the newest authentication coercion method; the attack tool DFSCoerce, which abuses the MS-DFSNM protocol to trigger domain controller authentication, has since been released. 

Enhancing CrowdStrike Identity Protection NTLM Relay Detection

Because an authenticated user can still trigger an NTLM authentication from the domain controller, the NTLM relay attack vector remains relevant for domain controller accounts. This is why the NTLM relay detection capability of CrowdStrike Falcon Identity Threat Protection was enhanced to detect attempts to perform NTLM relay using domain controller credentials. The benefit of this detection is that it is not tied to any single authentication coercion method, but will detect a relay attack no matter if it is initiated by the PetitPotam vulnerability, the newer DFSCoerce tool or any coercion mechanism discovered in the future.

(Click to enlarge)

Watch this video on Falcon Spotlight™ to see how you can monitor and prioritize NTLM relay issues and other vulnerabilities within your environment, and this video to learn how Falcon Identity Threat Protection  helps ensure comprehensive protection against identity-based attacks in real time.

Additional Mitigations

Though patching is an important first step against the latest NTLM relay vulnerabilities, it is not enough, as many unsecured defaults can leave your domain vulnerable. This is why we recommend following these steps:

  1. Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, especially the AD-CS servers, which are a common target of this attack.
  2. Track any failed/successful NTLM relay attempts performed in your domain network. Using the enhanced detection capabilities of the CrowdStrike Falcon Identity Threat Protection, customers can now be alerted on NTLM relay attacks abusing domain controller accounts.
  3. Disable NTLM. Because this is a potentially breaking change that requires a lot of time in most environments, start by disabling NTLM support on servers that may be targeted during a relay attack and are not sufficiently protected. For example, if for any reason you are unable to enforce EPA on the AD-CS server, disable incoming NTLM on that server to protect it from NTLM relay attacks.

Additional Resources

  • Learn more about popular attack techniques at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn how CrowdStrike Falcon Identity Protection reduces costs and risks across the enterprise by protecting workforce identities.
  • Watch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support

29 June 2022 at 18:35

The threat presented by today’s adversaries is as pervasive as it is dangerous — eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across all verticals. 

While technology is a powerful tool for performing routine or repeatable analysis, the only way to effectively hunt and contain sophisticated and determined cyber threat actors is to use the expertise and ingenuity of human threat hunters.

The Telescope and the Microscope: Two Sides of the Threat Hunting Coin 

Threat hunting is an ever-evolving discipline that proactively tracks changes in adversaries’ behavior. It requires a broad awareness of the threat landscape — the telescopic view — and can be augmented by a deeper understanding of a customer’s pain points or areas of identified risk — the microscopic view. The most comprehensive threat hunting leverages both the telescopic and microscopic viewpoints, blending the insights gained from both perspectives to safeguard a customer’s assets from threats.

The CrowdStrike Falcon OverWatch™ team’s continuous hunting operations are driven by a world-class team of dedicated in-house threat hunters — individuals who are relentlessly committed to honing their craft and dedicated to the mission of stopping breaches. OverWatch analysts track the most stealthy and persistent hands-on-keyboard campaigns, actively hunting for that last 1% of malicious activity deliberately seeking to subvert technology-based controls. 

Using patented hunting tools, OverWatch hunters leverage the power of the CrowdStrike Security Cloud to hunt across in excess of one trillion events a day — proactively searching for that malicious activity designed to blend in with the benign. Given the sheer breadth of information available to them, OverWatch analysts are skilled at identifying even the faintest signs of activity indicative of threat actor behavior and emerging threats, enabling customers to rapidly disrupt malicious behavior before its impact is felt.

The Power of Elite Tailored Threat Hunting

For organizations that are looking for an active partnership with their hunters, CrowdStrike offers OverWatch Elite — the personalized customer engagement add-on for  CrowdStrike’s Falcon OverWatch managed threat hunting service. 

OverWatch Elite builds on the continuous 24/7 human-led threat hunting provided by OverWatch, leveraging the ability to hunt across global telemetry to address areas of concern identified by customers. OverWatch Elite customers have access to an assigned threat analyst who provides a range of services to drive improved maturity across a customer’s internal security team. These services include expert coaching to support any in-house hunting efforts, regular threat updates, and a dedicated line of communication to address any queries or concerns as they arise. In partnership with their assigned analyst, customers can develop, operationalize and tune their threat hunting programs to ensure that supplementary threat hunts are tailored to their needs.

OverWatch Elite analysts build close partnerships with their assigned customers to develop a shared understanding of an organization’s unique structure and requirements. OverWatch Elite analysts are then able to tune their tools to the particular nuances found within a customer’s environment. In addition to addressing the customer’s needs, this fine-tuning enables all OverWatch analysts to more easily identify hands-on-keyboard activity and respond promptly to potential threats. 

The fast, closed-loop communication between customers and the OverWatch Elite team allows for greater collaboration to address  issues. Whether a customer has seen the news about a recent vulnerability or read an intelligence report about certain threat actors targeting companies in their sector, assigned analysts are available to listen and respond to these concerns by performing threat hunts tailored to address them. 

Working Better Together

It is important to recognize that these two parts of OverWatch share a common mission: stopping breaches. OverWatch and OverWatch Elite analysts work hand-in-hand daily to ensure all customers are protected against those malicious hands-on-keyboard activities designed to evade detection. All teams under the OverWatch umbrella work together continuously to provide the best customer service possible. 

OverWatch Elite Manager Gareth Willams puts it best: “You can’t look at the moon with a microscope and you can’t use a telescope to see small objects, but both give you a great field of vision.” 

In addition to tailored threat hunting services, OverWatch Elite offers several additional  features that truly make this a customer engagement-centric managed threat hunting service. Additional offerings include 60-minute call escalation for critical threats, which provides OverWatch Elite customers added peace of mind when it comes to rapidly disrupting adversary activity within their environments. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit OverWatch Elite’s page on CrowdStrike’s website.

Additional Resources

  • There are no more articles